The Health Insurance Portability and Accountability Act (HIPAA) is a set of federal Privacy, Security and Breach Notification standards that govern the use and disclosure of an individual’s protected health information, both on paper and electronically. HIPAA covered entities are health plans, healthcare clearinghouses, and healthcare providers such as doctors, psychologists and hospitals, together with service providers to those covered entities, such as pharmacists.

According to HHS, the HIPAA Privacy Rule does the following:

  • Gives patients more control over their health information
  • Sets boundaries on the use and release of health records
  • Enables patients to find out how their information may be used, and about certain disclosures of their information that have been made
  • Generally, limits the release of the information to the minimum reasonably needed
  • Generally, gives the patients the right to examine and obtain a copy of their own health records and request corrections
  • Empowers individuals to control certain uses and disclosures of their health information
  • Establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information
  • Holds violators accountable, with civil and criminal penalties that can be imposed for violating patients’ privacy rights
  • Strikes a balance when public responsibility supports disclosure of some forms of data – for example, to protect public health

The federal agencies and advisory committees involved in privacy and security policy include:

HHS Office for Civil Rights (OCR)
OCR has regulatory and enforcement authority for the HIPAA Privacy and Security rules and issues guidance and interpretations of the HIPAA rules.
  • OCR Health App Developer Portal
    OCR’s guidance on when and how the Health Insurance Portability and Accountability Act (HIPAA) regulations apply to mobile health applications.

HHS Office of the National Coordinator (ONC)
ONC is charged with the development of a nationwide health information technology infrastructure that allows for the electronic use and exchange of health information; includes examining and recommending practices that protect privacy and promote security.

  • HHS Health IT Policy Committee (HITPC)
    The HIT Policy Committee makes recommendations to the National Coordinator for Health IT on a policy framework for the development and adoption of a nationwide health information infrastructure, including standards for the exchange of patient medical information.
  • HITPC’s Privacy and Security Workgroup
    ONC has organized a workgroup (subcommittee) under the auspices of the HIT Policy Committee to move forward on a range of privacy and security issues.
  • HHS Health IT Standards Committee (HITSC)
    The HIT Standards Committee makes recommendations to the National Coordinator for Health IT on standards, implementation specifications, and certification criteria for the electronic exchange and use of health information.

Centers for Medicare and Medicaid Services (CMS)
CMS administers the Medicare and Medicaid EHR Incentive Programs; privacy and security are important components of the program’s implementation.

Cybersecurity and Infrastructure Security Agency (CISA)

Federal Communications Commission (FCC)
The FCC regulates interstate and international communications by radio, television, wire, satellite and cable. In the healthcare area, the FCC authorizes a wide variety of radio-frequency-based medical devices, including both implanted devices (e.g., heart pacemakers) and patient monitoring devices (e.g., wireless telemetry).

Federal Trade Commission (FTC)
Privacy is a central element of the FTC’s consumer protection mission; FTC educates consumers and businesses about the importance of personal information privacy, including the security of personal information.

Food and Drug Administration (FDA)
The FDA encourages further development of mobile medical applications (“apps”) that improve health care and provide consumers and health care professionals with valuable health information very quickly. The FDA has a public health responsibility to oversee the safety and effectiveness of a small subset of mobile medical applications.

Department of Homeland Security (DHS)

National Committee on Vital and Health Statistics (NCVHS)
NCVHS was established by Congress to serve as an advisory body to the Department of Health and Human Services (HHS) on health data, statistics and national health information policy.

National Institute of Standards and Technology (NIST)
NIST is the federal technology agency that works with industry to develop and apply technology, measurements, and standards.